Risk Assessment of AWS services used in building a resilient Web App on AWS

We wrote here in the article “Building Resilient Web Applications on AWS: A Comprehensive Approach to Security” how to use certain AWS services to implement a resilient web based application.

The services mentioned require also a brief analysis in respect to Security, Confidentiality, Integrity, Availability and Privacy.

 

CloudTrail

AWS CloudTrail records API calls and creates log files, providing visibility into user activity, resource changes, and actions taken within your AWS account.

Risk Assessment

  • Security: Unauthorized modifications to CloudTrail settings or log tampering.
  • Confidentiality: Exposure of sensitive log data.
  • Integrity: Unauthorized access to CloudTrail logs.
  • Availability: Disruptions in CloudTrail could impact auditability.

Mitigation

Implement access controls, enable log file integrity validation, regularly review logs, and use redundant log storage.

Privacy

  • Data Collection: CloudTrail logs AWS account activity, potentially containing sensitive information.
  • Data Storage: Logs include API calls and identity details, stored securely by AWS.
  • Data Retention: AWS retains logs for a limited time and may use aggregated data for service improvement.

 

CloudWatch

CloudWatch is a monitoring service that provides real-time insights into AWS resources and applications, helping you respond quickly to events or changes in your environment.

Risk Assessment

  • Security: Unauthorized access to CloudWatch data.
  • Confidentiality: Exposure of sensitive monitoring data.
  • Integrity: Unauthorized modifications to monitoring configurations.
  • Availability: Relies on underlying infrastructure; disruptions may impact real-time monitoring.

Mitigation

Implement access controls, encrypt sensitive data, conduct regular audits, and employ redundancy for critical components.

Privacy

  • Data Collection: CloudWatch collects and monitors performance and operational data.
  • Data Storage: Metric data and configurations are stored securely by AWS.
  • Data Retention: AWS retains metric data for a limited time and may use aggregated data for service improvement.

 

AWS IAM

IAM is AWS’ cloud-based identity and access management service, providing authentication and authorization for users and devices.

Risk Assessment

  • Security: Unauthorized access to user accounts or directory configurations.
  • Confidentiality: Exposure of sensitive identity information.
  • Integrity: Unauthorized modifications to user attributes or directory settings.
  • Availability: Downtime impacting authentication and access control.

Mitigation

Implement multi-factor authentication, strong password policies, regular security audits.

Privacy

  • Data Collection: AWS IAM collects and manages user authentication and authorization data.
  • Data Storage: User identities, permissions, and access policies are stored securely by AWS.
  • Data Retention: AWS retains user data for service functionality and may use aggregated data for service improvement, but individual user data is not disclosed externally.

AWS Fargate

AWS Fargate is a serverless compute engine for containers that lets you run containers without managing the underlying infrastructure.

Risk Assessment

  • Security: Unauthorized access to containerized applications.
  • Confidentiality: Exposure of sensitive container configurations.
  • Integrity: Unauthorized modifications to container environments.
  • Availability: Downtime impacting containerized application execution.

Mitigation

Implement access controls, encrypt container data, conduct regular security scans, and deploy in a redundant and scalable manner.

Privacy

  • Data Collection: Fargate processes and manages containerized applications.
  • Data Storage: Task and container configurations are stored securely by AWS.
  • Data Retention: AWS retains task and container data for a limited time and may use aggregated data for service improvement.

AWS WAF (Web Application Firewall)

AWS WAF is a web application firewall that helps protect web applications from common web exploits, such as SQL injection, cross-site scripting (XSS), and other malicious attacks.

It allows users to create custom rules or use managed rule sets to filter and block malicious traffic before it reaches applications.

Risk Assessment

  • Security: Unauthorized access to WAF configurations, potential bypassing of WAF rules by sophisticated attackers.
  • Confidentiality: Exposure of sensitive application data due to successful attacks.
  • Integrity: Unauthorized modifications to WAF rules or configurations.
  • Availability: Downtime or service disruption due to misconfigurations or overwhelming attacks.

Mitigation

Implement strong access controls, regularly update and fine-tune WAF rules, use managed rule sets, enable logging for analysis, and deploy redundant WAF instances for increased availability and load distribution.

Privacy

  • Data Collection: WAF collects logs containing information about incoming requests, potential threats, and blocked requests for security analysis.
  • Data Storage: Logs may include IP addresses and request details but are retained for a limited time, following AWS data retention policies.
  • Data Retention: AWS may use aggregated and anonymized data for improving the service but doesn’t share identifiable customer information.

 

 

AWS Lambda

A serverless stack based on AWS Lambda allows developers to build and deploy applications without managing servers, handling scalability automatically.

Risk Assessment

  • Security: Unauthorized access to serverless functions and configurations.
  • Confidentiality: Exposure of sensitive code and data processed by Lambdas.
  • Integrity: Unauthorized modifications to serverless function code.
  • Availability: Downtime impacting serverless function execution.

Mitigation

Implement access controls, encrypt sensitive data, conduct regular security scans, deploy in a redundant manner, and monitor for anomalies.

Privacy

  • Data Collection: Lambda functions process and execute code, potentially handling sensitive data.
  • Data Storage: Function configurations and logs may include details about processed data.
  • Data Retention: AWS retains logs for a limited time and may use aggregated data for service improvement.

AWS Secrets Manager

AWS Secrets Manager helps you protect access to your applications, services, and IT resources without upfront investment and on-going maintenance costs.

Risk Assessment

  • Security: Unauthorized access to stored secrets.
  • Confidentiality: Exposure of sensitive credentials and configuration details.
  • Integrity: Unauthorized modifications to stored secrets.
  • Availability: Downtime impacting applications relying on stored secrets.

Mitigation

Implement access controls, regularly rotate secrets, encrypt stored secrets, conduct regular audits, and use redundant Secrets Manager configurations.

Privacy

  • Data Collection: Secrets Manager stores sensitive configuration and credential data.
  • Data Storage: Secret configurations and access logs may include details about stored data.
  • Data Retention: AWS retains access logs for a limited time and may use aggregated data for service improvement.

CloudFront

Amazon CloudFront is a content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency and high transfer speeds.

It integrates with other Amazon Web Services products to give developers and businesses an easy way to distribute content to end-users.

 

Risk Assessment

  • Security: Unauthorized access to cached content or configurations, potential for content tampering during distribution.
  • Confidentiality: Exposure of sensitive content during distribution.
  • Integrity: Unauthorized modifications to distribution settings or cached content.
  • Availability: Downtime impacting content delivery due to misconfigurations or attacks.

Privacy

  • Data Collection: CloudFront collects logs that include IP addresses, user-agents, and request details for analytics and troubleshooting.
  • Data Storage: Logs may contain user-related information, but Amazon retains them for a limited period and follows privacy regulations.
  • Data Retention: Amazon may share aggregated and anonymized data for service improvement but doesn’t disclose individual customer data.

AWS S3

Amazon S3 is a scalable object storage service designed to store and retrieve any amount of data at any time.

Risk Assessment

  • Security: Unauthorized access to stored objects or bucket configurations.
  • Confidentiality: Exposure of sensitive data stored in S3.
  • Integrity: Unauthorized modifications to stored objects.
  • Availability: Downtime impacting data storage and retrieval.

 

Mitigation

Implement access controls, encrypt data at rest, conduct regular audits, use versioning, and deploy redundant S3 configurations.

 

Privacy

  • Data Collection: S3 stores object data, potentially including sensitive information.
  • Data Storage: Bucket configurations and access logs may include details about stored data.
  • Data Retention: AWS retains access logs for a limited time and may use aggregated data for service improvement.

EC2 (Elastic Compute Cloud)

AWS EC2 provides resizable compute capacity in the cloud, allowing users to run virtual servers for various applications and workloads.

Risk Assessment

  • Security: Unauthorized access to EC2 instances.
  • Confidentiality: Exposure of sensitive data processed by EC2 instances.
  • Integrity: Unauthorized modifications to instance configurations.
  • Availability: Downtime impacting applications hosted on EC2.

Mitigation

Implement access controls, regularly patch and update instances, encrypt sensitive data, deploy in a redundant manner, and use Auto Scaling for increased availability.

Privacy

  • Data Collection: EC2 instances may process and store data, potentially including sensitive information.
  • Data Storage: Instance configurations and logs may contain details about processed data.
  • Data Retention: AWS retains logs for a limited time and may use aggregated data for service improvement.

© Copyright 2024 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity


Check www.endpoint-cybersecurity.com for seeing the consulting services we offer.

Visit www.itsecuritynews.info for latest security news in English
Besuchen Sie de.itsecuritynews.info für IT Sicherheits News auf Deutsch

Related Posts

Understanding ISO 27001:2022 Annex A.13 – Communications Security

We started the ISO 27001:2022 series with the promise of explaining how the 14 categories of controls can be implemented. Today we address ISO 27001:2022 Annex A.13, “Communications Security”, which addresses the importance of securing information during its transmission over communication networks. This annex provides guidelines for implementing controls to protect the confidentiality, integrity, and availability of […]

Securing the Secure: The Importance of Secure Software Practices in Security Software Development

In an increasingly interconnected digital world, the importance of secure software cannot be overstated. Many people think that by using security software all their digital assets become automatically secured. However, it is crucial to recognize that security software itself is not inherently secure by default. To ensure the highest level of protection, security software must […]

Discover more from Sorin Mustaca on Cybersecurity

Subscribe now to keep reading and get access to the full archive.

Continue reading